Lockboxes and Key Space Exhaustion

On a rare occasion, I’ll have a chance to check out a thrift shop or antique store and see what sorts of locks or security equipment they have for sale. I’ve wanted to check out those realtor lockboxes for some time, but didn’t want to spring $25 for minimal entertainment value.

Today, I stopped in a Goodwill and seen a Kiddie KeySafe unit for sale for $4.99. I decided that price point is exactly what I’d pay for an otherwise useless toy. The first thing I did was open the manual it came with:

Kiddie KeySafe
Kiddie KeySafe

The instructions state right away that “KeySafe is a convenience product, not a security product.”

Boy they couldn’t be more correct.

What is “Key Space”?

In cryptography, key space expresses how many permutations are available within the boundaries of a key. To put it plainly, if you can only have a PIN number that is four digits, then you can choose anything between 0000 and 9999. This gives you 10,000 possible permutations (or a key space of 10,000).

What is “Key Space Exhaustion”?

When you don’t know a password or PIN number, you’ll generally start guessing numbers. You may start with “0000”, then “0001” and keep going. Banks will see this sort of activity and freeze down an account, but lock boxes are not like that. You can try every single number until it opens. Key Space Exhaustion is when you go through, iteratively, each permutation until you get an “unlock” state.

What do Lock Boxes have to do with this?

I gave myself a rather relaxed time trial and found that I can enter a code (whether wrong or right) on average in around 5.25 seconds for a 5-digit code. Most people would assume that is probably pretty good, after all a lock that takes a 5-digit code has 100,000 permutations, right? That would mean I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked. I’d argue that’s reasonably secure.

I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked.

Except one little funny thing: Lockboxes do not have permutations that spread across the entire spectrum of possibilities. Some lockboxes have limiting factors, such as:

  • Numbers can only be entered once, so 1-2-3-4-5 is a valid code, but 1-1-2-3-4 would not work.
  • Number Ordering is Irrelevant, so 1-2-3-4-5 is equivalent to 5-4-3-2-1, which greatly brings down the key space.

Identifying Lock boxes with this Fault

You can identify the first issue (entering each number once) by pressing it and listening for a click. If it only clicks once, it probably only accepts the combination once. For the second issue — I do not know a way currently without actually testing it, but it is probably safe to assume most are designed this way.

As for my lock… This lock can accept either 5, 6 or 7 digit combinations. For sake of clarity, I am operating under the pretense that folks are going to use 5-digit codes (Pro-tip: It is probably the address of the building).

With those constraints in mind, how much does that reduce the Key Space?

Key LengthFull Key SpaceActual Key SpacePermutations
4-Digit10,000210List
5-Digit100,000252List
6-Digit1,000,000210List
7-Digit10,000,000120List

Yikes! That deescalated quickly.

As I mentioned before, I did a time trial. I set my lockbox to 01279. As you can see in my permutation lists on GitHub, that is the 20th 5-digit code available. It took 1:45 for me to “breach” the lock by going code to code, trying and clearing each one. So, remember when I said it would take 6 days to breach that 5-digit lock? Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes. That’s insanity. 22 minutes infers that I will hit your code last.

Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes.

This is a complete design fault and is something manufacturers should look to improve upon. The actual time it would take to breach this lock can vary, as I would have to try the 5, 6 and 7 digit lists. With that said, there are ways to make the breach more rapid for these variable-length locks. Stay tuned.

Leave a Reply

Your email address will not be published. Required fields are marked *